From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 9A9DA987D5 for ; Tue, 25 Apr 2023 12:21:54 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 790663A65C for ; Tue, 25 Apr 2023 12:21:54 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 25 Apr 2023 12:21:53 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 1ABE145442 for ; Tue, 25 Apr 2023 12:21:53 +0200 (CEST) From: Markus Frank To: pve-devel@lists.proxmox.com Date: Tue, 25 Apr 2023 12:21:32 +0200 Message-Id: <20230425102136.85334-3-m.frank@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20230425102136.85334-1-m.frank@proxmox.com> References: <20230425102136.85334-1-m.frank@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.055 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [accesscontrol.pm, directory.pm, rpcenvironment.pm] Subject: [pve-devel] [PATCH access-control v4 2/6] added acls for Shared Files Directories X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Apr 2023 10:21:54 -0000 Signed-off-by: Markus Frank --- src/PVE/API2/Directory.pm | 68 +++++++++++++++++++++++++++++++++++++++ src/PVE/AccessControl.pm | 16 +++++++++ src/PVE/RPCEnvironment.pm | 12 ++++++- 3 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 src/PVE/API2/Directory.pm diff --git a/src/PVE/API2/Directory.pm b/src/PVE/API2/Directory.pm new file mode 100644 index 0000000..b44ba9d --- /dev/null +++ b/src/PVE/API2/Directory.pm @@ -0,0 +1,68 @@ +package PVE::API2::Directory; + +use strict; +use warnings; + +use PVE::Exception qw(raise raise_perm_exc raise_param_exc); +use PVE::Cluster qw (cfs_read_file cfs_write_file); +use PVE::Tools qw(split_list extract_param); +use PVE::JSONSchema qw(get_standard_option register_standard_option); +use PVE::SafeSyslog; + +use PVE::AccessControl; +use PVE::Auth::Plugin; +use PVE::TokenConfig; + +use PVE::RESTHandler; +use PVE::DirConfig; + +use base qw(PVE::RESTHandler); + +__PACKAGE__->register_method ({ + name => 'index', + path => '', + method => 'GET', + description => "simple return value of parameter 'text'", + parameters => { + additionalProperties => 0, + properties => { + node => { + type => 'string', + } + }, + }, + returns => { + type => 'string', + }, + code => sub { + my ($param) = @_; + return $param->{node}; + } +}); + + +__PACKAGE__->register_method ({ + name => 'add_dir', + path => 'add', + method => 'POST', + description => "simple return value of parameter 'text'", + parameters => { + additionalProperties => 0, + properties => { + directory => { + type => 'string', + }, + node => { + type => 'string', + } + }, + }, + returns => { + type => 'string', + }, + code => sub { + my ($param) = @_; + + return $param->{node}; + } +}); diff --git a/src/PVE/AccessControl.pm b/src/PVE/AccessControl.pm index 5690a1f..6530753 100644 --- a/src/PVE/AccessControl.pm +++ b/src/PVE/AccessControl.pm @@ -1133,6 +1133,18 @@ my $privgroups = { 'Pool.Audit', ], }, + Map => { + root => [], + admin => [ + 'Map.Modify', + ], + user => [ + 'Map.Use', + ], + audit => [ + 'Map.Audit', + ], + }, }; my $valid_privs = {}; @@ -1166,6 +1178,8 @@ sub create_roles { } $special_roles->{"PVETemplateUser"} = { 'VM.Clone' => 1, 'VM.Audit' => 1 }; + + delete($special_roles->{"PVEAdmin"}->{'Map.Modify'}); }; create_roles(); @@ -1262,6 +1276,8 @@ sub check_path { |/storage/[[:alnum:]\.\-\_]+ |/vms |/vms/[1-9][0-9]{2,} + |/map/dirs + |/map/dirs/[[:alnum:]\.\-\_]+ )$!xs; } diff --git a/src/PVE/RPCEnvironment.pm b/src/PVE/RPCEnvironment.pm index 8586938..42ff287 100644 --- a/src/PVE/RPCEnvironment.pm +++ b/src/PVE/RPCEnvironment.pm @@ -187,10 +187,11 @@ sub compute_api_permission { nodes => qr/Sys\.|Permissions\.Modify/, sdn => qr/SDN\.|Permissions\.Modify/, dc => qr/Sys\.Audit|SDN\./, + map => qr/Map\.Modify/ }; map { $res->{$_} = {} } keys %$priv_re_map; - my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn']; + my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage', '/sdn', '/map']; my $defined_paths = []; PVE::AccessControl::iterate_acl_tree("/", $usercfg->{acl_root}, sub { my ($path, $node) = @_; @@ -245,6 +246,7 @@ sub get_effective_permissions { '/sdn' => 1, '/storage' => 1, '/vms' => 1, + '/map' => 1, }; my $cfg = $self->{user_cfg}; @@ -361,6 +363,14 @@ sub check_vm_perm { return $self->check_full($user, "/vms/$vmid", $privs, $any, $noerr); }; +sub check_dir_perm { + my ($self, $user, $dirid, $privs, $any, $noerr) = @_; + + my $cfg = $self->{user_cfg}; + + return $self->check_full($user, "/map/dirs/$dirid", $privs, $any, $noerr); +}; + sub is_group_member { my ($self, $group, $user) = @_; -- 2.30.2